This release of the Qualys Cloud Platform, version 2.28, includes updates and new features for Cloud Agent, AssetView, Threat Protection, Security Assessment Questionnaire and Web Application Scanning. Highlights are as follows:
With more web applications exposing RESTful (or REST) APIs for ease of use, flexibility and scalability, it has become more important for web application security teams to test and secure those APIs. But APIs (including REST APIs) introduce some behaviors that make it difficult for web application scanners to test them for vulnerabilities.
New features in Qualys Web Application Scanning (WAS) overcome these difficulties.
When Office Depot went looking for a new vulnerability management system, it picked Qualys’ system for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.
Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.
“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.
Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.
Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third-party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.
In the end-of-year post last month, I mentioned that SSL Labs APIs had been made available for early access. What that meant was that we wanted some people to have a look at our APIs and play with the open source reference client, but otherwise didn’t want everyone to come at once. After a period of testing, we’re ready to move to the next phase. The APIs (as in the specification, not the implementation) are now considered stable and we’re committed to supporting them for a long period of time. We’re also happy with more people looking at the APIs and using them. The APIs are still running on our development servers and may lack the power of our production cluster, but are otherwise stable and fully production ready. In the following weeks we’ll do some more testing, with the goal of moving the APIs into production by the end of February.
The open source tool setup_scanner enables high-volume programmatic provisioning of QualysGuard scanners before deployment to virtualization infrastructure scanners. Setup_scanner was published on GitHub by Qualys' Jeffrey Leggett.
What’s your name and title?
Jeffrey Leggett, API and Integrations Product Manager at Qualys.
Besides living and breathing Qualys, how do you enjoy spending your free time?
I am an avid CrossFitter and mountain biker. Sleeping and eating rank up there, too.
Tell us more about what your scanner appliance app does.
I’m building an entire automated scanner deployment process for a customer to deploy thousands of scanners — one in every one of their retail stores.
Make your Qualys data your own by synchronizing it locally. Though report templates are an easy way to set up and distribute that data, they are typically not flexible enough to meet the unique requests from different teams that crop up over time. Synchronizing your Qualys data locally and enabling all teams in your organization to query it locally will give you the most scalable access to your data.
Mark Alvarez’s submit_ticket script on GitHub is an open source QualysGuard integration app that makes remediation tracking in CA Service Desk easy. Mark described it in detail in the document "CA Service integration app", also known as "Managing Gazillion Vulnerabilities".
1. Tell us your name and recent infosec titles you’ve carried.
My name is Mark Jayson Alvarez. For the past 10 years of my career, my job title has gone through several incarnations. I used to be a “Security Engineer”, a “Systems Engineer, Security”, an “IT Security Administrator”, “IT Security Consultant”, and now my job title says that I am an “Information Security Analyst”. My favorite of all though is when I was still called a “Science Research Specialist” in my first job (a fancy term for Systems Administrator). And since you’ve asked, other titles that I’ve had but never really used except in my CVs are CISSP, CISA, CEH, CISM.
Multiple scanner appliance selector is an open source tool written by Michael Calvi that automates the dynamic assignment of scanners to QualysGuard target hosts. The tool helps increase scanning efficiency across large networks. Given the niche problem Michael chose to solve, I wanted to learn more about it.
Earlier today I gave a presentation at RSA Conference 2014 in San Francisco about the 20 Critical Security Controls (CSC) and some ideas on how to implement them using QualysGuard. The document for the 20 CSC provides a number of suggestions for each control, called Quick Wins that point out aspects of the controls that are relatively easy to implement. One example is the detection of new machines, or how to report on machines that do not run an approved version of the operating system.